Re: [users@httpd] SSL headers through proxy

You don't say what version of Apache you are using. Hopefully, you are using at least Apache 2.0.52, because what you want to accomplish can't really be done with earlier versions. You do want to use mod_headers and mod_proxy (sort of), but what you are missing is mod_rewrite. The following is a snippet that you can place in a <VirtualHost> that should get you what you need:

    RewriteEngine on

    # Get the SSL client cert data, if present, and store it in a temporary
    # environment variable: capture it as a RewriteCond backreference,
    # then send it as a header on the proxy request. "set" replaces any
    # header of the same name sent by the client; "add" would keep it.

    RewriteCond %{SSL:SSL_CLIENT_VERIFY} (.*)
    RewriteRule .* - [E=SSLC_ON:%1]
    RequestHeader set X-SSL-Client-On %{SSLC_ON}e

    RewriteCond %{SSL:SSL_CLIENT_S_DN_CN} (.*)
    RewriteRule .* - [E=SSLC_NAME:%1]
    RequestHeader set X-SSL-Client-Name %{SSLC_NAME}e

    # mod_rewrite proxy request; uses a loopback to a different port on the same server
    RewriteRule ^/(.*)$ http://127.0.0.1:8080/$1 [P,L]

-Brian


Luiz Gustavo Anflor Pereira wrote:
I am trying to pass the client certificate through an Apache configured with mod_ssl, mod_proxy and mod_headers.

The idea is the client being authenticated in the Apache server, but the certificate being available to the backend server, something like this:

client <==> apache server (mod_proxy) <==> backend server

I need the client certificate in the backend server. All connections are SSL/HTTPS.

I have tried all these configurations, but none worked.

#RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}e" env=SSL_CLIENT_S_DN
#RequestHeader set SSL_CLIENT_M_SERIAL "%{SSL_CLIENT_M_SERIAL}e" env=SSL_CLIENT_S_DN
#RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}e"
#Header add  SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}e" env=SSL_CLIENT_CERT
#Header add  SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}e" env=SSL_CLIENT_I_DN

ProxyPass               /js      https://.....
ProxyPassReverse        /js      https://....

If you could help me I would thank you so much... :-)

Regards, Luiz Gustavo
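
Added example, not part of the original thread: with this setup the backend on 127.0.0.1:8080 sees the certificate only as `X-SSL-Client-On` and `X-SSL-Client-Name` headers, so it should check them before trusting the name. The sketch assumes a Python backend that can see the peer address and the raw header list with duplicates preserved; `client_identity` and the sample requests are constructed for illustration.

```python
import ipaddress

# Assumptions (not from the thread): headers arrive as (name, value) pairs
# with duplicates preserved, and the backend knows the TCP peer address.
PROXY_ADDR = ipaddress.ip_address("127.0.0.1")  # loopback hop used by the RewriteRule
IDENTITY_HEADERS = ("x-ssl-client-on", "x-ssl-client-name")


def client_identity(peer_ip, headers):
    """Return (True, common_name) or (False, reason) for one proxied request."""
    if ipaddress.ip_address(peer_ip) != PROXY_ADDR:
        return False, "peer is not the front-end proxy"

    seen = {name: [] for name in IDENTITY_HEADERS}
    for name, value in headers:
        if name.lower() in seen:
            seen[name.lower()].append(value.strip())

    # More than one copy means something other than the proxy also set it,
    # e.g. a client-supplied header that the proxy appended to.
    for name, values in seen.items():
        if len(values) != 1:
            return False, f"{name}: expected exactly 1 value, got {len(values)}"

    verify, common_name = seen["x-ssl-client-on"][0], seen["x-ssl-client-name"][0]
    # mod_ssl reports SSL_CLIENT_VERIFY as NONE, SUCCESS, GENEROUS or FAILED:reason.
    if verify != "SUCCESS":
        return False, f"client certificate not verified ({verify or 'empty'})"
    # mod_headers writes "(null)" when the environment variable is unset.
    if common_name in ("", "(null)"):
        return False, "no certificate common name"
    return True, common_name


# Constructed sample requests, as the backend on 127.0.0.1:8080 would see them.
SAMPLES = {
    "verified": ("127.0.0.1", [("X-SSL-Client-On", "SUCCESS"),
                               ("X-SSL-Client-Name", "alice")]),
    "spoofed": ("127.0.0.1", [("X-SSL-Client-Name", "admin"),
                              ("X-SSL-Client-On", "SUCCESS"),
                              ("X-SSL-Client-Name", "mallory")]),
    "no_cert": ("127.0.0.1", [("X-SSL-Client-On", "NONE"),
                              ("X-SSL-Client-Name", "")]),
    "direct": ("192.0.2.10", [("X-SSL-Client-On", "SUCCESS"),
                              ("X-SSL-Client-Name", "alice")]),
}

if __name__ == "__main__":
    for label, (peer, hdrs) in SAMPLES.items():
        print(label, client_identity(peer, hdrs))
```

Binding the backend listener to the loopback address only keeps the peer check meaningful.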
